On April 7, six federal agencies published a joint advisory confirming what we have been finding in our own work for months. Iranian state-sponsored hackers are actively exploiting internet-exposed Rockwell Automation PLCs in US water utilities and electrical distribution systems. Not theoretically. Not as a future risk. Right now, with confirmed operational disruptions already on the record.
If you run a municipal water system or a small electrical utility serving under 50,000 people, this advisory is describing your infrastructure.
What actually happened
The group behind the attacks is called CyberAv3ngers. They are affiliated with Iran's Islamic Revolutionary Guard Corps. They have been targeting the exact controllers that small and mid-sized water utilities and electrical utilities commonly operate: Rockwell Automation CompactLogix and other Allen-Bradley PLCs.
The method is straightforward. They use the same configuration software your engineers use, Studio 5000, to connect to PLCs that are reachable from the public internet. They exploit an authentication bypass vulnerability (CVE-2021-22681) that has been publicly known since 2021. Once connected, they can manipulate device configurations and disrupt operations.
This is not the first time. Aliquippa, Pennsylvania in November 2023. Oldsmar, Florida in February 2021. Muleshoe, Texas in January 2024. Three real municipal systems compromised through exactly this class of internet-facing control equipment. All of them were preventable.
Why small utilities keep showing up in these advisories
The pattern is not random. Small and mid-sized water and electrical utilities are the target because they are the easiest to reach.
Most communities with populations under 50,000 have no dedicated OT security staff. The IT provider covers office systems but does not touch control systems. Nobody is inventorying PLCs or checking firmware versions. Nobody knows what is internet-facing because nobody has looked. This is as common in municipal electrical systems as it is in water treatment plants.
The adversary knows this. They are not picking the hardest targets. They are picking the ones with the door open.
You can find out without touching your network
The first question any utility should be asking right now is whether their control equipment is visible from the public internet. That question is answerable today, without sending a single packet to your systems, without requiring credentials, and without disrupting operations.
The public internet is continuously indexed by aggregated intelligence sources. Industrial controllers that are directly reachable respond to ordinary network requests with information about themselves. That information is searchable.
At Sentinel OT, this is what we do. We use passive intelligence to identify externally observable exposure on water and electrical utility IT and OT infrastructure. Every finding is verified against the National Vulnerability Database and the CISA Known Exploited Vulnerabilities catalog before it goes into a report. No network access required. No VPN. No authentication. The method is entirely observational.
The result is a formal vulnerability report that documents exactly what is exposed, which CVEs apply, and what the remediation path looks like. Typical turnaround is one week.
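The cross-referencing step described above, as an added illustration and not Sentinel OT's own tooling: it takes passive-index records for reachable devices and matches them against a catalog fragment shaped like the CISA KEV JSON feed. The exposure records, the catalog entries and the product-family alias table are constructed for the example; the only real value is the CVE the advisory names.

```python
import re

# Constructed sample of passive-index records (the kind of data an aggregated
# internet-indexing source holds for directly reachable devices). Addresses are
# documentation-range placeholders; none of this is a real finding.
EXPOSURE_RECORDS = [
    {"ip": "192.0.2.10", "port": 44818, "vendor": "Rockwell Automation",
     "product": "1769-L33ER/A CompactLogix 5370", "firmware": "30.011"},
    {"ip": "192.0.2.20", "port": 502, "vendor": "Acme Controls",
     "product": "Acme Modbus Gateway", "firmware": "2.4"},
]

# Constructed fragment in the shape of the CISA KEV JSON feed (live feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the real feed; the second entry is a placeholder.
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
     "product": "Logix Controllers",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0000", "vendorProject": "Acme Controls",
     "product": "Acme Firewall",
     "requiredAction": "Apply updates per vendor instructions."},
]}

# Assumed alias table: KEV names product families while banners name models,
# so a family-to-model-token map is needed. This mapping is an assumption.
PRODUCT_FAMILY_TOKENS = {
    "logix controllers": ("compactlogix", "controllogix", "guardlogix"),
}

def _norm(s):
    """Lowercase and collapse punctuation so vendor/product strings compare."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()

def kev_matches(record, catalog):
    """Return KEV entries whose vendor and product family match one record."""
    vendor, product = _norm(record["vendor"]), _norm(record["product"])
    hits = []
    for entry in catalog["vulnerabilities"]:
        if _norm(entry["vendorProject"]) != vendor:
            continue
        family = _norm(entry["product"])
        tokens = PRODUCT_FAMILY_TOKENS.get(family, (family,))
        if any(t in product for t in tokens):
            hits.append(entry)
    return hits

def build_report(records, catalog):
    """One entry per exposed device. KEV carries no affected-version data, so
    each match still needs its firmware checked against NVD before reporting."""
    report = []
    for r in records:
        hits = kev_matches(r, catalog)
        report.append({
            "device": f'{r["ip"]}:{r["port"]} {r["product"]} fw {r["firmware"]}',
            "kev_cves": [h["cveID"] for h in hits],
            "status": "KEV match, confirm version against NVD" if hits
                      else "no KEV match, review manually",
        })
    return report
```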
The deadline and the money
Here is where the three threads come together.
The America's Water Infrastructure Act requires every community water system serving more than 3,300 people to complete a Risk and Resilience Assessment on a recurring cycle. The next recertification deadline for systems serving 3,301 to 49,999 people is June 30, 2026. That is ten weeks from today. Electrical utilities face parallel requirements under NERC CIP standards, which mandate documented assessments of cyber assets including control systems.
A passive vulnerability assessment directly supports both the RRA and NERC CIP documentation those deadlines require. It documents the external attack surface, identifies the specific CVEs that affect your equipment, and provides the remediation scope that your finance office needs to act on.
And the money to pay for it already exists. Federal SLCGP funds, state cybersecurity grants, and water and energy sector State Revolving Fund set-asides collectively allocate hundreds of millions of dollars every year to exactly this kind of work. Most of it goes unclaimed in the communities that need it most, because nobody on staff has the time to find it, apply for it, or manage the paperwork.
The threat is real. The deadlines are soon. The funding is available. All three converge right now.
If this describes your utility
We work with water and electrical utilities across the United States. If your community serves between 3,000 and 50,000 residents and you are not sure what is internet-facing on your control network, we should talk. No pitch, just a straightforward conversation about what we can see and what it means.